Pipeline Risk Assessment

Risk assessment on any facility is most efficiently done by first dividing the facility into components with
unchanging risk characteristics. For a cross-country pipeline, this involves collecting data on all portions of the
pipeline and its surroundings and then using this data to dynamically segment the pipeline into segments of
varying length. Risk algorithms are applied to each of the segments, producing risk estimates that truly reflect
changing risks along the pipeline.

The risk estimating algorithms are conceptually very straightforward. However, as with any assessment of a
complex mechanical system installed in a varying, natural environment, there are many details to consider. This is
illustrated by an example risk assessment on a hypothetical pipeline. .

Varying levels of analyses rigor are available to risk assessors. For example, a resistance estimate might be
modeled as simply being related to stress level and pipe characteristics or, for more robust analyses, could include
sophisticated finite element analyses. In this example, a certain amount of detail is omitted in order to better
demonstrate the higher level principles.

To illustrate key concepts, one time-independent failure mechanism (third party damage) and one time-dependent
failure mechanism (external corrosion) are assessed. All other failure mechanisms will follow one of these two
forms. Estimates from all failure mechanisms can be combined in various ways to meet the needs of the
subsequent risk management processes.

Example:

A 120 mile pipeline is to have a risk assessment performed. For the

assessment, failure is defined as loss of integrity leading to loss of
pipeline product. Consequences are measured as potential harm to
public health, property, and the environment and are expressed in
units of dollars loss-ie, all consequences are monetized.

Verifiable measurement units for the assessment are as follows:

MEASUREMENT UNITS
Risk $/year
Probability of Failure (PoF) failures/mile-year
Consequence of Failure (CoF) $/failure
Time to Failure (TTF) years
Exposure events/mile-year
Mitigation %
Resistance %

Data is collected and includes Subject Matter Expert (SME) estimates

where actual data is unavailable. The integrated data shows changes
in risk along the pipeline route6,530 segments are created by the
changing data with an average length of 87 ft. This relatively short
average length shows that a risk profile with adequate discrimination
has been generated.
 A level of conservatism is defined as P90 for all inputs that are not
based on actual measurements. This is conservativea bias towards
overestimation of actual risks. P90 means that risk is underestimated
once out of every 10 inputs, ie, there will be a negative surprise only
10% of the time. The risk assessors have chosen this level of
conservatism to account for plausible (albeit extreme) conditions and
to ensure that risks are not underestimated.

For assessing PoF from time-independent failure mechanismsthose

that do not worsen over time, such as third party damage and human
error-- the summary equation is as follows:

PoF_time-independent = exposure x (1 - mitigation) x (1 - resistance)

As an example for applying this to PoF due to time-independent third-

party damage, the following inputs are identified (by SMEs) for a
certain portion of the subject pipeline.

Exposure (unmitigated attack) is estimated to be three (3)

third-party damage events per mile-year. This means that,
over this mile of pipeline, excavators will be operating 3
times per year and, in the absence of mitigation, will cause
damage to the pipeline three times per year
Using a mitigation (defense) effectiveness analysis, SMEs
estimate that 1 in 50 of these exposures will not be
successfully prevented by existing mitigation measures. This
results in an overall mitigation effectiveness estimate of 98%
mitigated.
SMEs perform a resistance analysis to estimate that, of the
exposures that are not mitigated, 1 in 4 will cause immediate
failure, not just damage. This estimate includes the possible
presence of weaknesses due to threat interaction and/or
manufacturing and construction issues. So, the pipeline in
this area is judged to have a 75% resistance to failure
(survivability) from this mechanism, given the failure of
mitigations.

Assuming that frequencies and probabilities are practically

interchangeable, these inputs result in the following assessment:

PoF_third-party damage
= (3 damage events per mile-year) x (1 - 98% mitigated) x (1
- 75% resistive)

= 1.5% (0.015) per mile-year

(a failure every 67 years along this mile of pipeline)

Note that a useful intermediate calculation, probability of damage

(but not failure), emerges from this assessment and can be verified
by future inspections.

(3 damage events per mile-year) x (1 - 98% mitigated)

= 0.06 damage events/mile-year
 (damage occurring about once every 17 years).

This same approach is used for other time-independent failure mechanisms and for all portions of the
pipeline.

In assessing PoF due to time-dependent failure mechanismscorrosion and cracking, the

previous algorithms are slightly modified:

PoF_time-dependent = (Time-to-Failure, TTF)

TTF = resistance / [exposure x (1 - mitigation)]

To continue the example, SMEs have determined that, at certain

locations along the 120 mile pipeline, soil corrosivity leads to 5 mpy
external corrosion exposure (if left unmitigated). Analyses of coating
and CP effectiveness leads SMEs to assign a mitigation effectiveness
of 90%.

Recent inspections, adjusted for uncertainty and considering possible

era-of-manufacture weaknesses, result in an effective pipe wall
thickness estimate of 0.220 (remaining resistance). Use of these
inputs in the PoF assessment for the next year is shown below:

TTF = 220 mils / [5 mpy x (1 - 90%)] = 440 years

PoF = 1 / TTF = [5 mpy x (1 - 90%)] / 220 mils = 0.11% PoF

So, the combined PoF from these two threats is estimated to be

0.015 + 0.0011 = 0.016 failures/mile-year. This 1.6% failure
probability can now be used with estimates of consequence potential
to arrive at overall risk estimates generated by these two threats.

SMEs have analyzed potential scenarios and determined the range of

possible consequences generated by a failure. After assignment of
probabilities to each scenario, a point estimate representing the
distribution of all future scenarios yields the value of $18,500 per
failure. This can be thought of as a probability-adjusted average
consequence per failure.

Risk assessors similarly calculate all risk elements for each of the
6,530 segments. To estimate PoF for any portion of the 120 mile
pipeline, a probabilistic summation is used to ensure that length
effects and the probabilistic nature of estimates are appropriately
considered. To estimate total risk, an expected loss calculation for
the full 120 miles yields $25,200 of risk exposure from this pipeline
per year of operation. The average is $210/mile-year.

Risk Management
The risk estimates generated in this way are extremely useful to decision
makers. Such estimates can become part of the budget setting and valuation
processes. In this example, the company first uses these values to compare
to, among other benchmarks, a US national average for similar pipelines of
$350/mile-year. The comparison needs to consider the P90 level of
conservatism employed. Often, a P90 or higher level of conservatism is
appropriate for determining risk management on specific pipeline segments,
but will not compare favorably to historical incident data since those generally
reflect P50 estimates.
Understanding how each pipeline segment contributes to the overall risk sets
the stage for efficient risk management.

Changing Risk Along a Segmented Pipeline

For risk management at specific locations, cost / benefits of various risk

mitigation measures can be compared by running what if scenarios using the
same equations with anticipated mitigation effectiveness arising from the
proposed action(s).
These estimates can also be used to establish safe enough limits by following
pre-determined risk acceptability criteria such as those proposed in CSA Z662
Annex 0.